Remote Access Tools & Backdoors

The Attack

After gaining privileged access to the computer and extracting passwords and other information of interest, attackers will typically add applications that will give them long term access to the computer via remote access tools (RATs) and backdoors. Some remote access tools and backdoors accept incoming connections from the attacker. Others make outbound calls at regular intervals.

A similar malicious tool is Port Forwarding.

The Tools

Tools for the attack include: Netcat, PSExec, Back Orifice, Netbus, ProRat, Metasploit Meterpreter, VNC, Fpipe. In addition, some exploit kits such as Blackhole and Zeus contain their own tools.

Traditional Defenses

The traditional defense is to prevent access to the computer via Antivirus software, but by the time a backdoor is being added to the victim’s computer, it’s likely that the attacker will have disabled any antivirus or firewall that may have been running on the victim’s computer. However, application whitelisting may have mitigated the initial attack.

IDS/IPS can detect and mitigate some payloads. For example, if a "C:\>" is seen going over the wire on RPC, the IDS/IPS can trigger an alert or action.

For servers, another traditional defense that may detect this attack is File Integrity Monitoring (FIM).

Since attackers often schedule their backdoor to automatically reinstall itself at a certain time of day, one may be able to detect evidence of a “Scheduled Task” in the “\Windows\Tasks folder” (or a “cronjob” in the “crontab” directory for Linux).

Software Defined Perimeter

A Software Defined Perimeter enhances traditional defenses by preventing compromised unauthorized victims from accessing sensitive data. This reduces the attack surface from the thousands of employees to tens of authorized users.

Risk Assessment

Popularity High
Ease of Implementation High
Impact High
Remotely Exploitable Yes
Risk High